064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll
Size

421KB
MD5

cef88c4eb3156742c9865de7275b9890
SHA1

17847f8eb7c5da15b4925102e1bc2702308d5f8b
SHA256

064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf
SHA512

4ef8dee2c5c54df0f1c60fa343a56ae4765e9f1ed65590764bc58cbfc3e3fec0345d8c228f302c9f5a28987dcbd63520e758aedda46226a182650e0022aa3970
SSDEEP

6144:AO/AhcWoi8yw1NJEi1OrEduMuGbzIW4FmNiI8ARVOVQFpCm:AcAhcWotJ1NWvOTuG3WYNAQbCm

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 24 IoCs

flow	pid	Process
18	1340	rundll32.exe
23	1340	rundll32.exe
33	1340	rundll32.exe
37	1340	rundll32.exe
50	1340	rundll32.exe
55	1340	rundll32.exe
63	1340	rundll32.exe
69	1340	rundll32.exe
73	1340	rundll32.exe
79	1340	rundll32.exe
83	1340	rundll32.exe
87	1340	rundll32.exe
92	1340	rundll32.exe
96	1340	rundll32.exe
102	1340	rundll32.exe
106	1340	rundll32.exe
110	1340	rundll32.exe
114	1340	rundll32.exe
118	1340	rundll32.exe
122	1340	rundll32.exe
126	1340	rundll32.exe
130	1340	rundll32.exe
134	1340	rundll32.exe
138	1340	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\-37-76-51108	rundll32.exe
File created	C:\Windows\SysWOW64\192e1f	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 1340	4972	rundll32.exe	81
PID 4972 wrote to memory of 1340	4972	rundll32.exe	81
PID 4972 wrote to memory of 1340	4972	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\064d473b7ad14eba851626e43b8e9edf51a5c43c1a357780e8bdb6fa2a41b4cf.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-132-0x0000000000000000-mapping.dmp

Download